A recent paper by Kevin Lee and Arvind Narayanan of Princeton University concluded that “online services should no longer equate a correctly-entered SMS passcode with successful user authentication” after they examined the ease with which the previous user of a phone number could have their identity hijacked after their number had been recycled. The academics acquired a sample of 259 phone numbers from two US mobile operators, Verizon and T-Mobile, and found that 171 were already tied to the online accounts of former users, meaning they could potentially be used for the receipt of one time passwords and other kinds of identity checks. Personal information about most of the users could be found by doing an online search using the phone number, and 100 of the numbers were associated with login credentials that had been breached and which could also be found online.
The researchers illustrated the issues by observing how many people receive calls intended for the former users of a number. Most of us would consider this an annoyance, but it also represents a privacy threat because the new user is inadvertently being given information about the behaviors and purchases of the former user. The study found that 10 percent of numbers received sensitive information through calls or text messages intended for the former user. The dangers appeared not to be properly understood by either Verizon or T-Mobile, as their customer service staff provided many contradictory answers when researchers posed as customers enquiring about their policies on recycling numbers. To their credit, both firms updated their approach when they saw the results of the study.
The risk that a specific individual could be targeted is heightened by the observation that data breaches and lax security often mean a person’s phone number can be found online. Two notorious recent examples involve a Facebook data breach that divulged the phone number of CEO Mark Zuckerberg amongst many others, and the personal mobile phone number of UK Prime Minister Boris Johnson being openly shared online for 15 years. Neither the Verizon nor the T-Mobile US self-service portals allowed customers to choose a specific new number, but determined individuals could submit repeated queries into the Verizon portal until they were offered the number they wanted, aided by the fact that the interface was designed to avoid presenting a number if it had previously been rejected. The researchers considered that there was particular danger to victims of domestic abuse, as their abusers are more likely to exhibit the persistence required to take control of their victim’s past phone number.
The academics identified eight ways that a bad actor could utilize a recycled number to infringe the privacy or security of their target. They made a series of recommendations to reduce the risk, including telcos placing limits on how many times a customer can query available numbers, how many times they can change number, and giving inactive customers the option to ‘park’ their unused phone number for a period of time.
The draft of Lee and Narayanan’s paper, entitled “Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States” can be freely obtained from here.